CVE-2026-24392
Stored XSS in HurryTimer β€ 2.14.2 Enables Persistent Script Injection
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nabil_lemsieh | hurrytimer | to 2.14.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24392 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress HurryTimer Plugin versions up to and including 2.14.2.
This vulnerability allows a malicious actor to inject harmful scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the site.
The issue is classified under OWASP Top 10 category A3: Injection and has a CVSS severity score of 5.9, indicating a moderate risk level.
Exploitation requires user interaction by a privileged user (such as an author or developer) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can allow attackers to inject malicious scripts into your website, which can execute when visitors access the site.'}, {'type': 'list_item', 'content': 'Attackers could redirect users to malicious sites.'}, {'type': 'list_item', 'content': 'Attackers could display unwanted advertisements or other harmful HTML content.'}, {'type': 'paragraph', 'content': "Such actions can harm your website's reputation, compromise user trust, and potentially lead to further security issues."}, {'type': 'paragraph', 'content': 'However, exploitation requires interaction by a privileged user, which limits the likelihood and impact.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Cross Site Scripting (XSS) vulnerability in the HurryTimer WordPress plugin involves identifying if the plugin version is 2.14.2 or earlier, as these versions are vulnerable.
Since the vulnerability requires user interaction and involves injection of malicious scripts, one way to detect it is by scanning for suspicious script injections or unusual HTML payloads in the web pages generated by the plugin.
Specific commands are not provided in the available resources, but common approaches include:
- Checking the installed plugin version via WP-CLI: `wp plugin list` to verify if HurryTimer is installed and its version.
- Using web vulnerability scanners or XSS detection tools to scan the website for stored XSS payloads.
- Manually reviewing input fields and stored content generated by HurryTimer for suspicious scripts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the HurryTimer WordPress plugin to version 2.14.3 or later, where this vulnerability has been patched.
Additionally, enabling the Patchstack auto-update feature for plugins can help ensure rapid protection against this and other vulnerabilities.
Until the update is applied, limiting privileged user interactions with untrusted content and monitoring for suspicious activity can reduce exploitation risk.